> While testing interop of our DTLS implementation with openssl 0.9.8g I
> found an issue with openssl client handling the close notify alert from
> our server.
> After our server responds to the "GET /" it sends a close notify alert
> to close the connection.
> openssl gets the alert and decrypts it correctly but doesn't process the
> alert and enters a state where it is waiting for another record from the
> server.
> The problem appears to be in the following code in dtls1_read_bytes() in
> d1_pkt.c
>
>
>         if (dest_maxlen > 0)
>             {
>             /* XDTLS: In a pathological case, the Client Hello
>              * may be fragmented--don't always expect dest_maxlen bytes */
>             if ( rr->length < dest_maxlen )
>                 {
>                 s->rstate=SSL_ST_READ_HEADER;
>                 rr->length = 0;
>                 goto start;
>                 }
>
>             /* now move 'n' bytes: */
>             for ( k = 0; k < dest_maxlen; k++)
>                 {
>                 dest[k] = rr->data[rr->off++];
>                 rr->length--;
>                 }
>             *dest_len = dest_maxlen;
>             }
>         }
>
> In my case before " if (dest_maxlen > 0) " I have dest_maxlen = 7 and
> rr->length = 2.
> The " if ( rr->length < dest_maxlen ) " causes a "goto start" where
> another call to dtls1_get_record() will take place, which is incorrect
> because the alert has not been handled.
> I am not sure what is the purpose of the " if ( rr->length < dest_maxlen ) "
> I can force the code to handle the alert if I change the code to
> this: "if ( rr->length < dest_maxlen && (rr->type != SSL3_RT_ALERT))"
> This is just my own hack and may not be the correct action.
Addressed in 0.9.8i. See also RT#1632.

A.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
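As an added illustration of the control flow the report describes (this is a stand-alone model written for this page, not OpenSSL's d1_pkt.c, and not the fix that shipped in 0.9.8i), the C below replays the reporter's situation: a 2-byte close_notify alert arrives while dest_maxlen is 7. In the "original" mode any record shorter than dest_maxlen is discarded and the loop goes back for the next record, so the alert is never handled and the reader ends up waiting; in the "guarded" mode the reporter's `&& rr->type != SSL3_RT_ALERT` condition lets the alert through while a short handshake fragment is still dropped. The record queue, the `model_read_bytes` function, the outcome codes and the sample records are all constructed assumptions; only the values 7 and 2 and the alert type come from the report.

```c
#include <stddef.h>
#include <string.h>

/* Record content types, using the TLS/DTLS wire values. */
enum { RT_ALERT = 21, RT_HANDSHAKE = 22 };

/* What the modelled read loop ended up doing (hypothetical outcome codes). */
enum {
    READ_HANDSHAKE_HEADER = 1,  /* dest_maxlen bytes copied into dest */
    READ_ALERT            = 2,  /* alert record reached the alert handler */
    READ_WAITING          = 3   /* queue exhausted: would block for another record */
};

struct record {
    int type;
    size_t length;
    unsigned char data[16];
};

struct read_result {
    int outcome;
    unsigned char dest[16];
    size_t dest_len;
    size_t records_consumed;
};

/*
 * Hypothetical model of the dtls1_read_bytes() record loop, NOT OpenSSL code.
 * 'records' is the sequence the transport delivers, in order.  'dest_maxlen'
 * is the number of header bytes the caller expects (the report gives 7).
 * With guard_alerts == 0 the short-record check behaves as in the report:
 * any record shorter than dest_maxlen is dropped and the loop fetches the
 * next one (the "goto start").  With guard_alerts != 0 the reporter's
 * "&& rr->type != SSL3_RT_ALERT" condition is applied.
 */
static struct read_result model_read_bytes(const struct record *records, size_t n,
                                           size_t dest_maxlen, int guard_alerts)
{
    struct read_result r;
    size_t i;

    memset(&r, 0, sizeof(r));
    for (i = 0; i < n; i++) {
        const struct record *rr = &records[i];
        r.records_consumed = i + 1;

        if (dest_maxlen > 0 && rr->length < dest_maxlen
            && !(guard_alerts && rr->type == RT_ALERT)) {
            /* original behaviour: rr->length = 0; goto start; */
            continue;
        }
        if (dest_maxlen > 0 && rr->type == RT_HANDSHAKE) {
            /* "now move 'n' bytes" */
            memcpy(r.dest, rr->data, dest_maxlen);
            r.dest_len = dest_maxlen;
            r.outcome = READ_HANDSHAKE_HEADER;
            return r;
        }
        if (rr->type == RT_ALERT) {
            /* alert processing lives further down in the real function */
            r.outcome = READ_ALERT;
            return r;
        }
    }
    r.outcome = READ_WAITING;
    return r;
}

/* The reporter's scenario: a single 2-byte close_notify (level warning,
 * description 0) arrives while dest_maxlen is 7. */
static struct read_result reporter_scenario(int guard_alerts)
{
    struct record close_notify = { RT_ALERT, 2, { 1, 0 } };
    return model_read_bytes(&close_notify, 1, 7, guard_alerts);
}

/* Constructed check that the guard leaves the handshake path alone: a
 * full-size handshake record is still copied into dest. */
static struct read_result handshake_scenario(int guard_alerts)
{
    struct record hs = { RT_HANDSHAKE, 12, { 1, 0, 0, 4, 0, 0, 0, 0, 0, 0, 0, 4 } };
    return model_read_bytes(&hs, 1, 7, guard_alerts);
}

/* The "pathological" case the source comment mentions: a short handshake
 * fragment is dropped and the following full record is used instead. */
static struct read_result fragment_then_full_scenario(int guard_alerts)
{
    struct record q[2] = {
        { RT_HANDSHAKE, 2, { 1, 0 } },
        { RT_HANDSHAKE, 12, { 1, 0, 0, 4, 0, 0, 0, 0, 0, 0, 0, 4 } }
    };
    return model_read_bytes(q, 2, 7, guard_alerts);
}
```

Run the three scenarios in both modes: only the alert case changes behaviour between them, which is what makes the reporter's guard a plausible local workaround even though it does not explain why dest_maxlen is still 7 when an alert, rather than a handshake record, is being read.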